Ssl – Google G Suite: Root Domain Redirection With SSL

g-suitegoogle-cloud-platformssl

I have a .ai domain and I'm using Google Cloud DNS as the domain name servers. I'm also registered with G-Suite. My domain services work (e.g. www.example.com, mail.example.com), and the redirect works as well – but not with SSL.

From G-Suite admin -> domain section, I have setup root domain redirection:
"Primary Domain" / "You can change your primary domain by switching it with an active secondary domain."

"Redirect the naked domain http://example.ai to http://www.example.ai"

Then I followed the "Changing the A-record for your domain" – I added the A-record (4 destination IPs) to my domain via Google Cloud DNS.

The direction http://example.ai to http://www.example.ai works correctly, but https://example.ai fails to connect.

I guess this makes sense because in order for this to work Google would need my SSL certificate. Any ideas if this is solvable? Note: I need this regardless of "Google App Engine".

Best Answer

The naked domain redirect docs apply only to Google Sites hosted websites:

If you build a Google Site and map it to a custom address such as www.yourdomain.com...

It only works if your www record is already pointing to ghs.googlehosted.com which in your case, it isn't.

If your www record points to a site on Amazon S3, then you'd want to follow the documentation at Root Domain Support on Amazon S3 Hosted Websites. Since you're using Google for DNS only, you can treat it as any other DNS provider for configuration purposes without needing to give Google your TLS certificate.

Edit: Amazon does not provide A / AAAA records for root domain redirection, and instead requires you to use their own Route53 DNS service for this. Google's redirect is only intended to work with Google hosted services (because Google will have the TLS cert), otherwise you end up uploading your cert to multiple hosts if it works at all.

Related Solutions

How Google apps domain is being set up for naked domain redirection

Looks like it:

$ host vekslers.org
vekslers.org has address 216.239.32.21

$ curl -D- VEKSLERS.ORG
HTTP/1.1 302 Found
Location: http://www.vekslers.org/
Date: Fri, 01 Oct 2010 14:27:22 GMT
Content-Type: text/html; charset=UTF-8
Server: ghs
Content-Length: 221

216.239.32.21 is owned by google, so it looks like they are emitting the redirect to www.vekslers.org.

When they say they do not handle "naked" domains I think they mean you cannot serve your site from a naked domain. Instead you have to let them redirect the naked address to the non-naked one as they are doing above.

Ssl – Route 53 Naked/Root Domain Alias Record

Because you will configure the S3 bucket to send a 301 redirect to www.example.com if you follow Amazon's directions, you will wind up with SSL certificate warnings if someone uses the non-www form. As far as I can tell, Amazon provides no way for you to provide your SSL certificate in this circumstance.

DNSimple has a different implementation which, instead of sending a 301 redirect, sends visitors directly to the IP address of the Heroku app (which, presumably, they look up dynamically). This works as long as Heroku is expecting it.

Best Answer

Related Solutions

How Google apps domain is being set up for naked domain redirection

Ssl – Route 53 Naked/Root Domain Alias Record

Related Topic